I'm still flailing about trying to get idtokens working on a new 9.0.12 schedd in my cluster.
I was finally able to get the schedd talking to the collector by issuing a new token with condor_token_create (and a long list of permissions), then signing it on the CM:
condor_token_create -identity schedd@xxxxxxxxxxxxxxxxxxxxxxxx \
    -authz DAEMON -authz UPDATE_SCHEDD_AD -authz READ -authz WRITE \
    -authz QUERY_STARTD_ADS -authz UPDATE_AD_GENERIC -authz ADMINISTRATOR
However, I'm unable to get some CLI commands to work. Notably, the 'condor_status' command, when run as root, returns:
# condor_status
Error: communication error
SECMAN:2010:Received "DENIED" from server for user condor@xxxxxxxxxxxxxxxxxxxxxxxx using method IDTOKENS.
The collector reports the following error:
04/25/22 16:41:03 DC_AUTHENTICATE: message authenticator enabled with key id ldas-condor:2734:1650922863:33339.
04/25/22 16:41:03 DC_AUTHENTICATE: Success.
04/25/22 16:41:03 DC_AUTHENTICATE: authentication of <10.13.5.58:20190> was successful but resulted in a limited authorization which did not include this command (5 QUERY_STARTD_ADS), so aborting.
...which seems odd considering that I explicitly included QUERY_STARTD_ADS in the token request above.
As a user, it won't even authenticate:
$ condor_status
Error: communication error
AUTHENTICATE:1003:Failed to authenticate with any method
AUTHENTICATE:1004:Failed to authenticate using IDTOKENS
AUTHENTICATE:1004:Failed to authenticate using FS
Any suggestions on where to look next?
--Mike
_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to
htcondor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
The archives can be found at:
https://lists.cs.wisc.edu/archive/htcondor-users/
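Added example, not part of Mike's post and not HTCondor's own tooling: the DENIED message above names the identity condor@..., while the token that was created is for schedd@..., so the first thing to establish is which token the client actually presented and what its "scope" claim says. IDTOKENS are JWTs, so the payload can be read offline. The POSIX shell helpers below decode a token's payload, pull out the "sub" and "scope" claims, and test whether a given authorization level (READ, WRITE, DAEMON, ADMINISTRATOR, ...) is in scope. The sample token at the end is constructed here for illustration (the issuer, identity and signature are made up); the token directory paths in the usage note are the defaults as I understand them and are an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): decode the payload of an HTCondor
# IDTOKEN (a JWT) to see which identity ("sub") and which authorizations
# ("scope") the token actually carries.
# Assumption: claims are compact JSON without spaces, as JWT payloads are.

# Decode a base64url string (unpadded) to raw bytes.
b64url_decode() {
    s=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#s} % 4 )) in
        2) s="${s}==" ;;
        3) s="${s}=" ;;
    esac
    printf '%s' "$s" | base64 -d
}

# Print the JSON payload, i.e. the second dot-separated field of the JWT.
token_payload() {
    b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Print one string-valued claim from the payload, e.g.: token_claim "$tok" sub
token_claim() {
    token_payload "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Exit 0 if the token's scope includes the given authorization level.
# HTCondor writes scope entries as "condor:/LEVEL" (e.g. "condor:/READ").
# A token without a scope claim carries no token-side restriction; what that
# identity may do is then decided entirely by the server's ALLOW_* lists.
token_has_authz() {
    scope=$(token_claim "$1" scope)
    [ -z "$scope" ] && return 0
    for entry in $scope; do
        [ "$entry" = "condor:/$2" ] && return 0
    done
    return 1
}

# Read raw token strings on stdin, one per line, and report who each one is
# for and what it is limited to. Run this as the same user that got DENIED,
# because the error names whichever token the client picked, not necessarily
# the one you just created.
audit_tokens() {
    while read -r tok; do
        [ -n "$tok" ] || continue
        printf 'sub=%s scope=%s\n' \
            "$(token_claim "$tok" sub)" "$(token_claim "$tok" scope)"
    done
}

# --- Constructed sample token (NOT a real HTCondor token) -------------------
b64url_encode() {
    printf '%s' "$1" | base64 | tr -d '=\n' | tr '+/' '-_'
}
SAMPLE_PAYLOAD='{"iat":1650922863,"iss":"cm.example.org","jti":"0123abcd","scope":"condor:/DAEMON condor:/READ","sub":"condor@cm.example.org"}'
SAMPLE_TOKEN="$(b64url_encode '{"alg":"HS256","typ":"JWT"}').$(b64url_encode "$SAMPLE_PAYLOAD").c2lnbmF0dXJl"

# Demo: audit the sample, then check one level explicitly.
printf '%s\n' "$SAMPLE_TOKEN" | audit_tokens
if token_has_authz "$SAMPLE_TOKEN" ADMINISTRATOR; then
    echo "sample token allows ADMINISTRATOR"
else
    echo "sample token does NOT allow ADMINISTRATOR"
fi
```

To audit the tokens a real client can see, feed it the token files: by default (an assumption here) user tokens live under ~/.condor/tokens.d/ and daemon/root tokens under /etc/condor/tokens.d/, so `cat ~/.condor/tokens.d/* | audit_tokens` as the user, or `cat /etc/condor/tokens.d/* | audit_tokens` as root, shows whether the token being picked up is the schedd@... one with the long -authz list or a different, narrower token for condor@....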